Phishing Scams: Don’t Take The Bait

In the cyber-security fight, employees can be a business’s greatest asset – or its biggest threat. We explore how you can turn employees into the first and best line of defence.

Phishing is not a new challenge for businesses, but it is a dynamic one that continually evolves and becomes more sophisticated. News stories have demonstrated that no organisation is safe. From the leaked emails from Hillary Clinton’s presidential campaign chairman John Podesta to this year’s global Petya cyber attack, which looks set to cost container ship operator Maersk $300m (€260m), phishing is used to devastating effect on a regular basis.

With cybercriminals targeting businesses, it’s crucial for staff to be aware of, and prepared for, the potential threats. Smaller businesses are possibly more vulnerable: the National Business Crime Survey 2017, published in September by Irish SME association ISME, showed that 81% of SMEs had reported an attack on their firm in the past year.

What is phishing?

Put simply, phishing is a cybercrime in which the victim is contacted by email, telephone or text message by fraudsters posing as a legitimate company. The aim is to trick the victim into disclosing data such as banking details or passwords, or into making a payment into a bogus account.

Any sensitive information the victim reveals can be used to access the company’s infrastructure or personal accounts to steal money or information, or to commit identity theft.

Some of the most common types of phishing are:

Deceptive phishing: this takes the form of bogus emails, usually asking recipients to provide personal information such as account details and passwords.

Spear phishing: more sophisticated than traditional deceptive phishing, spear phishing involves researching a specific target in order to mount a more convincing attack.

BEC (business email compromise) scams/CEO fraud: in this case, the fraudster either gains access to a genuine email account and uses it to send out emails – for example, from a CEO asking an employee to make a payment into a bogus account – or creates a counterfeit email address that imitates one, to commit the fraud.

Dropbox phishing: emails claiming to be from Dropbox ask the user to click through to secure their account or to download a document.

Vishing (voice phishing): the attacker makes a call to the victim and persuades them to reveal personal information such as bank account details, or to make a payment over the phone.

Malware: malicious software is delivered to the victim’s computer, usually via a link or attachment in an email, and is activated when the victim clicks on it.

Ransomware: this type of malware blocks your access to your system or device until you have paid a ransom.

People as the gateway

Today, people are more alert to deceptive phishing and know to check emails for telltale signs such as spelling or grammar mistakes, or links that do not lead to where they claim to go. This has led to a decline in this type of phishing. Other methods, however, are on the rise.

“Ireland, in common with many countries, has seen a rise in CEO fraud in recent years, often starting with spear phishing,” says Chris Davey, master technology architect at Accenture in Dublin.

“Humans tend to be seen as the weakest link,” adds Ivan Quill, pre-sales technical architect for Dublin-based IT security experts Integrity360. “Most recently, we investigated a phishing attack disguised as a Microsoft Office 365 notification which was sent to a senior executive in an Irish organisation, seemingly from a known contact of theirs requesting to share files with them. Because the sender name was familiar to them, the link was clicked without a second thought.”

Pat Moran, cyber-security leader for PwC Ireland, says that simulated attacks on clients provide a sobering measure of how easy it is for scammers to trick staff. PwC’s simulated phishing attacks show that, on average, one in three people will open a phishing email and, of those, almost 50% will click on the link contained within it. Vishing catches out 15% to 20% of those targeted.

“The losses an attack can cause are significant,” says Moran. “Average losses are over €1,000 per person in terms of monetary loss or ransomware payments, but the biggest issue is often the reputational loss for the organisation.”

How to respond

Catching an attack early can help prevent the situation from escalating, says Ken Allan, cyber-security expert at PA Consulting Group, which operates in Ireland and globally. “It’s likely that a phishing attack is an early stage of a more serious cyber attack and steps taken early may help to prevent or reduce the impact of such an attack.”

However, victims of phishing often wait before informing management. It’s therefore vital to create a culture within the business in which employees understand the importance of a rapid response.

If usernames or passwords have been disclosed, you should change all of these immediately. Another priority is to establish whether information or money has been lost, and whether this can be quantified or recovered.

“Also, decide whether you need to tell all customers, bearing in mind that news can get out on social media very quickly,” says Moran. “Regulators and data protection commissioners also need to be informed, so there’s a whole incident response plan that needs to be activated relative to the level of attack that has occurred.”

Building a human firewall

While many businesses have software to help identify phishing emails or web pages that contain malware, all businesses will benefit from an education and awareness programme to help employees understand the risks and how to respond. Ideally, it should include simulated attacks to keep awareness high.

“Training should be continuous and monitored. Investing in your staff’s knowledge is the best investment to secure a business,” says Ronan Murphy, CEO of security operations centre Smarttech, which has offices in Cork and Dublin.

Ultimately, your employees can be your first, and sometimes last, line of defence and training them properly can spare you a lot of costly repercussions.

How to spot a phishing email

Ivan Quill recommends you check the following to detect phishing emails:

The content of the email – if you’re not expecting to receive an email of that kind, you should be on high alert about any links it contains.

The sender email address – phishing emails commonly come from an address that looks like the legitimate one but differs slightly from it, perhaps by a single misspelt or substituted character.

The link URL – hovering the mouse over the link or button will show you where it actually points, which may differ from the address shown in the text. If the destination website is not recognised, it should be avoided.
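Two of those checks, the lookalike sender address and the link whose visible text does not match its real destination, can be screened for automatically before a message reaches a reader. The script below is an added example, not code from the article or from Integrity360: it parses a constructed sample email, compares the sender’s domain against an assumed list of trusted domains by edit distance, and flags any HTML link whose displayed URL names a different host than its href. The trusted-domain list and the sample message are both invented for the example.

```python
"""Screen an email for two phishing tells: a lookalike sender domain and
links whose visible text points somewhere other than their real href.
Added example; the trusted domains and the sample message are constructed."""
import html
import re
from email import message_from_string, policy, utils
from urllib.parse import urlparse

# Assumption: the organisation keeps a list of domains it legitimately
# receives mail from. This list is constructed for the example.
TRUSTED_DOMAINS = {"example-bank.com", "dropbox.com", "office365.com"}

# Constructed sample message: note the digit '1' in the sender domain and
# the anchor whose text shows one site while its href goes to another.
SAMPLE_EMAIL = """\
From: Support <support@examp1e-bank.com>
To: finance@acme.example
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your account has been locked. Please visit
<a href="http://login-verify.example.net/reset">https://www.example-bank.com/login</a>
to restore access.</p>
"""


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    addr = utils.parseaddr(str(msg["From"]))[1]
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain this one imitates (within max_distance edits),
    or None if the domain is either genuinely trusted or not similar at all."""
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return t
    return None


ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def mismatched_links(html_body):
    """(visible text, href) pairs where the text is a URL on a different host."""
    findings = []
    for href, text in ANCHOR_RE.findall(html_body):
        text = html.unescape(re.sub(r"<[^>]+>", "", text)).strip()
        href_host = (urlparse(href).hostname or "").lower()
        text_host = urlparse(text).hostname if "://" in text else None
        if text_host and text_host.lower() != href_host:
            findings.append((text, href))
    return findings


def screen(raw):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    body_text = body.get_content() if body else ""
    domain = sender_domain(msg)
    return {
        "sender_domain": domain,
        "lookalike_of": lookalike_of(domain),
        "mismatched_links": mismatched_links(body_text),
    }


if __name__ == "__main__":
    for key, value in screen(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The edit-distance threshold of two is an assumption; it catches single-character substitutions like the one in the sample but will also match short, unrelated domains, so in practice the trusted list should hold only domains the organisation actually deals with. The link check deliberately only compares hosts when the visible text itself looks like a URL, since ordinary button text such as “Reset password” gives nothing to compare.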

Five steps to greater cyber security

Advise users to be extra cautious when being asked to click links or open attachments from an untrusted source. CEOs and senior executives should be extremely wary of suspicious emails that look like they came from senior executive accounts. If in doubt, make a call to check.

Implement two-factor authentication for all users, especially with cloud services such as Office 365.

Comments (2)

An excellent reminder of some simple steps to help prevent phishing. One of the topics we will cover in the "Protecting your business in the 21st century" session we are holding in conjunction with Dogpatch labs on Monday 13 November. See the events section.